Added in employee authentication

Author: allmightyspiff

README-internal.md

@@ -0,0 +1,40 @@
+This document is for internal users wanting to use this library to interact with the internal API. It will not work for `api.softlayer.com`.
+
+
+## Certificate Example
+
+For use with a utility certificate. In your config file (usually `~/.softlayer`), you need to set the following:
+
+```
+[softlayer]
+endpoint_url = https://<internal api endpoint>/v3/internal/rest/
+timeout = 0
+theme = dark
+auth_cert = /etc/ssl/certs/my_utility_cert-dev.pem
+server_cert = /etc/ssl/certs/allCAbundle.pem
+```
+
+`auth_cert`: is your utility user certificate
+`server_cert`: is the CA certificate bundle to validate the internal API ssl chain. Otherwise you get self-signed ssl errors without this.
+
+
+```
+import SoftLayer
+import logging
+import click
+
+@click.command()
+def testAuthentication():
+	client = SoftLayer.CertificateClient()
+	result = client.call('SoftLayer_Account', 'getObject', id=12345, mask="mask[id,companyName]")
+	print(result)
+
+
+if __name__ == "__main__":
+	logger = logging.getLogger()
+	logger.addHandler(logging.StreamHandler())
+	logger.setLevel(logging.DEBUG)
+	testAuthentication()
+```
+
+## Employee Example

SoftLayer/API.py

@@ -6,6 +6,7 @@
     :license: MIT, see LICENSE for more details.
 """
 # pylint: disable=invalid-name
+import os
 import time
 import warnings
 
@@ -28,6 +29,7 @@
 
 __all__ = [
     'create_client_from_env',
+    'employee_client',
     'Client',
     'BaseClient',
     'API_PUBLIC_ENDPOINT',
@@ -144,6 +146,102 @@ def create_client_from_env(username=None,
     return BaseClient(auth=auth, transport=transport, config_file=config_file)
 
 
+def employee_client(username=None,
+                    access_token=None,
+                    password=None,
+                    endpoint_url=None,
+                    timeout=None,
+                    auth=None,
+                    config_file=None,
+                    proxy=None,
+                    user_agent=None,
+                    transport=None,
+                    verify=False):
+    """Creates an INTERNAL SoftLayer API client using your environment.
+
+    Settings are loaded via keyword arguments, environemtal variables and
+    config file.
+
+    :param username: your user ID
+    :param access_token: hash from SoftLayer_User_Employee::performExternalAuthentication(username, password, 2fa_string)
+    :param password: password to use for employee authentication
+    :param endpoint_url: the API endpoint base URL you wish to connect to.
+        Set this to API_PRIVATE_ENDPOINT to connect via SoftLayer's private
+        network.
+    :param proxy: proxy to be used to make API calls
+    :param integer timeout: timeout for API requests
+    :param auth: an object which responds to get_headers() to be inserted into
+        the xml-rpc headers. Example: `BasicAuthentication`
+    :param config_file: A path to a configuration file used to load settings
+    :param user_agent: an optional User Agent to report when making API
+        calls if you wish to bypass the packages built in User Agent string
+    :param transport: An object that's callable with this signature:
+                      transport(SoftLayer.transports.Request)
+    :param bool verify: decide to verify the server's SSL/TLS cert. DO NOT SET
+                        TO FALSE WITHOUT UNDERSTANDING THE IMPLICATIONS.
+
+    Usage:
+
+        >>> import SoftLayer
+        >>> client = SoftLayer.create_client_from_env()
+        >>> resp = client.call('Account', 'getObject')
+        >>> resp['companyName']
+        'Your Company'
+
+    """
+    # SSL verification is OFF because internal api uses a self signed cert
+    settings = config.get_client_settings(username=username,
+                                          api_key=None,
+                                          endpoint_url=endpoint_url,
+                                          timeout=timeout,
+                                          proxy=proxy,
+                                          verify=verify,
+                                          config_file=config_file)
+
+    url = settings.get('endpoint_url') or consts.API_EMPLOYEE_ENDPOINT
+
+    if 'internal' not in url:
+        raise exceptions.SoftLayerError("{} does not look like an Internal Employee url. Try {}".format(
+                                         url, consts.API_EMPLOYEE_ENDPOINT))
+
+    if transport is None:
+        
+        if url is not None and '/rest' in url:
+            # If this looks like a rest endpoint, use the rest transport
+            transport = transports.RestTransport(
+                endpoint_url=settings.get('endpoint_url'),
+                proxy=settings.get('proxy'),
+                timeout=settings.get('timeout'),
+                user_agent=user_agent,
+                verify=verify,
+            )
+        else:
+            # Default the transport to use XMLRPC
+            transport = transports.XmlRpcTransport(
+                endpoint_url=settings.get('endpoint_url'),
+                proxy=settings.get('proxy'),
+                timeout=settings.get('timeout'),
+                user_agent=user_agent,
+                verify=verify,
+            )
+
+
+    if access_token is None:
+        access_token = settings.get('access_token')
+
+    user_id = settings.get('userid')
+
+    # Assume access_token is valid for now, user has logged in before at least.
+    if access_token and user_id:
+        auth = slauth.EmployeeAuthentication(user_id, access_token)
+        return EmployeeClient(auth=auth, transport=transport)
+    else:
+        # This is for logging in mostly.
+        LOGGER.info("No access_token or userid found in settings, creating a No Auth client for now.")
+        return EmployeeClient(auth=None, transport=transport)
+
+
+
 def Client(**kwargs):
     """Get a SoftLayer API Client using environmental settings."""
     return create_client_from_env(**kwargs)
@@ -282,6 +380,7 @@ def call(self, service, method, *args, **kwargs):
         request.filter = kwargs.get('filter')
         request.limit = kwargs.get('limit')
         request.offset = kwargs.get('offset')
+        request.url = self.settings['softlayer'].get('endpoint_url')
         if kwargs.get('verify') is not None:
             request.verify = kwargs.get('verify')
 
@@ -617,6 +716,97 @@ def __repr__(self):
         return "IAMClient(transport=%r, auth=%r)" % (self.transport, self.auth)
 
 
+class EmployeeClient(BaseClient):
+    """Internal SoftLayer Client
+
+    :param auth: auth driver that looks like SoftLayer.auth.AuthenticationBase
+    :param transport: An object that's callable with this signature: transport(SoftLayer.transports.Request)
+    """
+
+    def __init__(self, auth=None, transport=None, config_file=None, account_id=None):
+        BaseClient.__init__(self, auth, transport, config_file)
+        self.account_id = account_id
+
+
+    def authenticate_with_password(self, username, password, security_token=None):
+        """Performs IBM IAM Username/Password Authentication
+
+        :param string username: your softlayer username
+        :param string password: your softlayer password
+        :param int security_token: your 2FA token, prompt if None
+        """
+
+        self.auth = None
+        if security_token is None:
+            security_token = input("Enter your 2FA Token now: ")
+            if len(security_token) != 6:
+                raise Exception("Invalid security token: {}".format(security_token))
+
+        auth_result = self.call('SoftLayer_User_Employee', 'performExternalAuthentication',
+                                username, password, security_token)
+
+
+        self.settings['softlayer']['access_token'] = auth_result['hash']
+        self.settings['softlayer']['userid'] = str(auth_result['userId'])
+        # self.settings['softlayer']['refresh_token'] = tokens['refresh_token']
+
+        config.write_config(self.settings, self.config_file)
+        self.auth = slauth.EmployeeAuthentication(auth_result['userId'], auth_result['hash'])
+
+        return auth_result
+
+
+
+    def authenticate_with_hash(self, userId, access_token):
+        """Authenticates to the Internal SL API with an employee userid + token
+
+        :param string userId: Employee UserId
+        :param string access_token: Employee Hash Token
+        """
+        self.auth = slauth.EmployeeAuthentication(userId, access_token)
+
+    def refresh_token(self, userId, auth_token):
+        """Refreshes the login token"""
+
+        # Go directly to base client, to avoid infite loop if the token is super expired.
+        auth_result = BaseClient.call(self, 'SoftLayer_User_Employee', 'refreshEncryptedToken', auth_token, id=userId)
+        if len(auth_result) > 1:
+            for returned_data in auth_result:
+                # Access tokens should be 188 characters, but just incase its longer or something.
+                if len(returned_data) > 180:
+                    self.settings['softlayer']['access_token'] = returned_data
+        else:
+            message = "Excepted 2 properties from refreshEncryptedToken, got {}|".format(auth_result)
+            raise exceptions.SoftLayerAPIError(message)
+
+        config.write_config(self.settings, self.config_file)
+        self.auth = slauth.EmployeeAuthentication(userId, auth_result[0])
+        return auth_result
+
+    def call(self, service, method, *args, **kwargs):
+        """Handles refreshing Employee tokens in case of a HTTP 401 error"""
+        if (service == 'SoftLayer_Account' or service == 'Account') and not kwargs.get('id'):
+            if not self.account_id:
+                raise exceptions.SoftLayerError("SoftLayer_Account service requires an ID")
+            kwargs['id'] = self.account_id
+
+        try:
+            return BaseClient.call(self, service, method, *args, **kwargs)
+        except exceptions.SoftLayerAPIError as ex:
+            if ex.faultCode == "SoftLayer_Exception_EncryptedToken_Expired":
+                userId = self.settings['softlayer'].get('userid')
+                access_token = self.settings['softlayer'].get('access_token')
+                LOGGER.warning("Token has expired, trying to refresh. %s", ex.faultString)
+                self.refresh_token(userId, access_token)
+                # Try the Call again this time....
+                return BaseClient.call(self, service, method, *args, **kwargs)
+
+            else:
+                raise ex
+
+    def __repr__(self):
+        return "EmployeeClient(transport=%r, auth=%r)" % (self.transport, self.auth)
+
 class Service(object):
     """A SoftLayer Service.
 

SoftLayer/CLI/core.py

@@ -69,9 +69,8 @@ def get_version_message(ctx, param, value):
     ctx.exit()
 
 
-@click.group(help="SoftLayer Command-line Client",
-             epilog="""To use most commands your SoftLayer username and api_key need to be configured.
-The easiest way to do that is to use: 'slcli setup'""",
+@click.group(help="SoftLayer Employee Command-line Client",
+             epilog="""Run 'islcli login' to authenticate""",
              cls=CommandLoader,
              context_settings=CONTEXT_SETTINGS)
 @click.option('--format',
@@ -102,6 +101,7 @@ def get_version_message(ctx, param, value):
               help="Use demo data instead of actually making API calls")
 @click.option('--version', is_flag=True, expose_value=False, is_eager=True, callback=get_version_message,
               help="Show version information.",  allow_from_autoenv=False,)
+@click.option('--account', '-a', help="Account Id")
 @environment.pass_env
 def cli(env,
         format='table',
@@ -110,6 +110,7 @@ def cli(env,
         proxy=None,
         really=False,
         demo=False,
+        account=None,
         **kwargs):
     """Main click CLI entry-point."""
 
@@ -133,6 +134,8 @@ def cli(env,
     env.vars['_timings'] = SoftLayer.DebugTransport(env.client.transport)
     env.vars['verbose'] = verbose
     env.client.transport = env.vars['_timings']
+    print("Account ID is now: {}".format(account))
+    env.client.account_id = account
 
 
 @cli.result_callback()

SoftLayer/CLI/environment.py

@@ -189,7 +189,7 @@ def ensure_client(self, config_file=None, is_demo=False, proxy=None):
             )
         else:
             # Create SL Client
-            client = SoftLayer.create_client_from_env(
+            client = SoftLayer.employee_client(
                 proxy=proxy,
                 config_file=config_file,
             )

SoftLayer/CLI/login.py

@@ -0,0 +1,72 @@
+"""Login with your employee username, password, 2fa token"""
+# :license: MIT, see LICENSE for more details.
+
+import click
+import os 
+
+
+from SoftLayer.API import EmployeeClient
+from SoftLayer.CLI.command import SLCommand as SLCommand
+from SoftLayer import config
+from SoftLayer import consts
+from SoftLayer.CLI import environment
+
+
+# def get_username(env):
+#     """Gets the username from config or env"""
+#     settings = 
+
+def censor_password(value):
+    if value:
+        value = '*' * len(value)
+    return value
+
+@click.command(cls=SLCommand)
+@environment.pass_env
+def cli(env):
+    """Logs you into the internal SoftLayer Network.
+
+    username: Set this in either the softlayer config, or SL_USER ENV variable 
+    password: Set this in SL_PASSWORD env variable. You will be prompted for them otherwise.
+    """
+    config_settings = config.get_config(config_file=env.config_file)
+    settings = config_settings['softlayer']
+    username = settings.get('username') or os.environ.get('SLCLI_USER', None)
+    password = os.environ.get('SLCLI_PASSWORD', '')
+    yubi = None
+    client = env.client
+
+    # Might already be logged in, try and refresh token
+    if settings.get('access_token') and settings.get('userid'):
+        client.authenticate_with_hash(settings.get('userid'), settings.get('access_token'))
+        try:
+            employee = client.call('SoftLayer_User_Employee', 'getObject', id=settings.get('userid'), mask="mask[id,username]")
+            print(employee)
+            client.refresh_token(settings.get('userid'), settings.get('access_token'))
+            refresh = client.call('SoftLayer_User_Employee', 'refreshEncryptedToken', settings.get('access_token'), id=settings.get('userid'))
+
+            config_settings['softlayer'] = settings
+            config.write_config(config_settings, env.config_file)
+            return
+        except Exception as ex:
+            print("Error with Hash Authentication, try with password: {}".format(ex))
+
+
+    url = settings.get('endpoint_url') or consts.API_EMPLOYEE_ENDPOINT
+    click.echo("URL: {}".format(url))
+    if username is None:
+        username = input("Username: ")
+    click.echo("Username: {}".format(username))
+    if not password:
+        password = env.getpass("Password: ")
+    click.echo("Password: {}".format(censor_password(password)))
+    yubi = input("Yubi: ")
+
+    
+    try:
+        result = client.authenticate_with_password(username, password, str(yubi))
+        print(result)
+    except Exception as e:
+        click.echo("EXCEPTION: {}".format(e))
+
+    print("OK")

SoftLayer/CLI/routes.py

@@ -8,6 +8,7 @@
 
 ALL_ROUTES = [
     ('shell', 'SoftLayer.shell.core:cli'),
+    ('login', 'SoftLayer.CLI.login:cli'),
 
     ('call-api', 'SoftLayer.CLI.call_api:cli'),